Client: National Aeronautics and Space Administration
The NASA IT Security (ITS) Division within the Office of the Chief Information Officer strategically manages Agency-wide security projects to correct known vulnerabilities, reduce barriers to cross-Center collaboration and provide cost-effective IT security services in support of NASA’s systems and e-Gov initiatives.
The ITS Division ensures that information technology security across NASA meets confidentiality, integrity and availability objectives for data and information to include disaster recovery and continuity of operations for systems. The ITS Division develops and maintains an information security program that ensures consistent security policy, identifies and implements risk-based security controls and tracks security metrics to gauge compliance and effectiveness.
The function is responsible for performing audits and reviews to assess compliance with security and privacy policies and procedures. NPD 2810.1, NASA Information Security Policy and NPR 2810.1 Security of Information Technology, provide more details on IT security requirements at NASA. Strong Crypto Innovations has provided business and technical support to NASA since 2008.
Client’s Challenges
The IT Security Division’s programs continue to gain prominence in both government and public forums. Fundamental challenges include:
- Integration of NIST 800-53 Revision 3 security controls
- Continuous Monitoring of NASA information systems
- Security and monitoring for NASA Web sites and applications
- Security and support for smart phones and other mobile technology
Strong Crypto Innovations (SCI) provided comprehensive IT security to NASA’s public portal (www.nasa.gov), intranet (insidenasa.nasa.gov), as well as several agency-wide web applications including the NASA Access Launchpad (Web application Single Sign-On solution), NASA IPTA/PIA Repository (Initial Privacy Threshold Analysis and Privacy Impact Assessment), NASA Spacebook (social networking site) and NASA FOIA (public and intranet Freedom Of Information Act portal).
SCI also prepared FISMA Certification and Accreditation (C&A) packages, conducted software security assurance and ethical hacking activities, revised security test plans, conducted security testing and source code analysis and developed security hardening procedures based on NASA guidance and CIS benchmarks. SCI established agency-wide web application security and compliance programs, provided web application security training and educational content for NASA users, developers, web-masters, as well as other web application stakeholders. Strong Crypto Innovations provided a broad range of services to the NASA account team including:
- Prepared FISMA Certification and Accreditation (C&A) packages
- Initiated the NASA Web Application Security Program (WASP)
- Developed software assurance strategy for Web and mobile applications
- Conducted hands-on training on HP Fortify Static Code Analyzer (SCA) tool
- Authored computer-based training (CBT), “Fundamentals of Application Security”
- Conducted Mobile Application Security Assessments, e.g., on NASA TV iOS app
- Conducted security scanning of NASA’s global public-facing Web infrastructure
- Authored whitepaper on a “Tool-based Approach to Software Security”
- Reviewed CBTs for the NASA IT Security Awareness & Training Center (ITSATC)
- Authored secure coding best practices and specific vulnerability remediation advice
- Developed and executed security test cases for NASA Access Launchpad Single Sign-on (SSO)
- Initiated a pilot of an automated application monitoring and defense capability
- Mapped application security activities to Software Assurance Maturity Model (SAMM)
- Conducted security-focused code review using HP Fortify SCA on 100+ applications
- Conducted Web application penetration testing on 100+ production applications
- Conducted periodic vulnerability scanning of COTS operating systems
- Authored information security standard operating procedures, e.g., security testing
- Reviewed intrusion detection logs and conducted incident response investigations
- Conducted secure design and architectural risk analysis of Web/mobile applications
- Contributed to continuous monitoring strategy for Web infrastructure
Results
The OCIO and IT Security Division have grown and matured to meet the changing mission requirements as defined by NASA Leadership, Congressional mandates and public scrutiny. There will be greater sharing of IT innovations across the Agency to support the scientific missions in the future and IT Security will need to put processes in place to streamline its efforts at maintaining a safe and secure environment.